---
layout: "docs"
page_title: "Using PGP, GPG, and Keybase"
sidebar_current: "docs-concepts-pgp-gpg-keybase"
description: |-
  Vault has the ability to integrate with OpenPGP-compatible programs like GPG
  and services like Keybase.io to provide an additional layer of security when
  performing certain operations. This page details the various GPG
  integrations, their use, and operation.
---

# Using PGP, GPG, and Keybase

Vault has the ability to integrate with OpenPGP-compatible programs like GPG
and services like Keybase.io to provide an additional layer of security when
performing certain operations. This page details the various PGP integrations,
their use, and operation.

## Initializing with PGP
One of the early fundamental problems when bootstrapping and initializing Vault
was that the first user (the initializer) received a plain-text copy of all of
the unseal keys. This defeats the promises of Vault's security model, and it
also makes the distribution of those keys more difficult. Since Vault 0.3,
Vault can optionally be initialized using PGP keys. In this mode, Vault will
generate the unseal keys and then immediately encrypt them using the given
users' public PGP keys. Only the owner of the corresponding private key is then
able to decrypt the value, revealing the plain-text unseal key.

First, you must create, acquire, or import the appropriate key(s) onto the
local machine from which you are initializing Vault. This guide will not
attempt to cover all aspects of PGP keys but gives examples using two popular
programs: Keybase and GPG.

For beginners, we suggest using [Keybase.io](https://keybase.io/) ("Keybase")
as it is simpler and has a number of useful behaviors and properties around key
management, such as verification of users' identities using a number of public
online sources.
It also exposes the ability for users to have PGP keys generated, stored, and
managed securely on their servers. Using Vault with Keybase will be discussed
first as it is simpler.

## Initializing with Keybase
To generate unseal keys for Keybase users, Vault accepts the `keybase:` prefix
to the `-pgp-keys` argument:

```
$ vault init -key-shares=3 -key-threshold=2 \
    -pgp-keys="keybase:jefferai,keybase:vishalnayak,keybase:sethvargo"
```

This requires far fewer steps than traditional PGP (e.g. with `gpg`) because
Keybase handles a few of the tedious steps. The output will be similar to the
following:

```
Key 1: c1c04c03d5f43b6432ea77f3010800...
Key 2: 612b611295f255baa2eb702a5e254f...
Key 3: ebfd78302325e2631bcc21e11cae00...
...
```

### Unsealing with Keybase
As a user, the easiest way to decrypt your unseal key is with the Keybase CLI
tool. You can download it from the [Keybase.io download
page](https://keybase.io/download). After you have downloaded and configured
the Keybase CLI, you are now tasked with entering your unseal key. To get the
plain-text unseal key, you must decrypt the value given to you by the
initializer. To get the plain-text value, run the following command:

```
$ echo "c1c0..." | xxd -r -p | keybase pgp decrypt
```

And replace `c1c0...` with the encrypted key.

You will be prompted to enter your Keybase passphrase. The output will be the
plain-text unseal key.

```
6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
```

This is your unseal key in plain-text and should be guarded the same way you
guard a password. Now you can enter your key to the `unseal` command:

```
$ vault unseal
Key (will be hidden): ...
```

- - -

## Initializing with GPG
GPG is an open-source implementation of the OpenPGP standard and is available
on nearly every platform.
For more information, please see the [GPG
manual](https://gnupg.org/gph/en/manual.html).

To create a new PGP key, run the following and follow the prompts:

```
$ gpg --gen-key
```

To import an existing key, download the public key onto disk and run:

```
$ gpg --import key.asc
```

Once you have imported the users' public keys, you need to save their values
to disk as either base64 or binary key files. For example:

```
$ gpg --export 348FFC4C | base64 > seth.asc
```

These key files must exist on disk in base64 or binary. Once saved to disk, the
path to these files can be specified as an argument to the `-pgp-keys` flag.

```
$ vault init -key-shares=3 -key-threshold=2 \
    -pgp-keys="jeff.asc,vishal.asc,seth.asc"
```

The result should look something like this:

```
Key 1: c1c04c03d5f43b6432ea77f3010800...
Key 2: 612b611295f255baa2eb702a5e254f...
Key 3: ebfd78302325e2631bcc21e11cae00...
...
```

The output should be rather long in comparison to a regular unseal key. These
keys are encrypted, and only the user holding the corresponding private key
can decrypt the value. The keys are encrypted in the order in which they are
specified in the `-pgp-keys` attribute. As such, the first key belongs to Jeff,
the second to Vishal, and the third to Seth. These keys can be distributed over
almost any medium, although common sense and judgement are best advised.

### Unsealing with GPG
Assuming you have been given an unseal key that was encrypted using your public
PGP key, you are now tasked with entering your unseal key. To get the
plain-text unseal key, you must decrypt the value given to you by the
initializer. To get the plain-text value, run the following command:

```
$ echo "c1c0..." | xxd -r -p | gpg -d
```

And replace `c1c0...` with the encrypted key.

If you encrypted your private PGP key with a passphrase, you may be prompted to
enter it. After you enter your passphrase, the output will be the plain-text
key:

```
6ecb46277133e04b29bd0b1b05e60722dab7cdc684a0d3ee2de50ce4c38a357101
```

This is your unseal key in plain-text and should be guarded the same way you
guard a password. Now you can enter your key to the `unseal` command:

```
$ vault unseal
Key (will be hidden): ...
```
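The `Key N:` values printed by `vault init` (in both the Keybase and the GPG flows above) are hex-encoded OpenPGP messages, and an initializer can check which recipient each one was encrypted to without decrypting anything: the first packet of every such message is a Public-Key Encrypted Session Key packet (RFC 4880, section 5.1) carrying the 64-bit key ID of the recipient's encryption key. The Python script below is an added example, not part of the Vault documentation or the Vault project. It parses that packet and compares the key ID found against the list expected from the `-pgp-keys` argument, so a mix-up in ordering or a duplicated entry is caught before a value is sent to the wrong person. The sample `vault init` output (apart from the `c1c04c03d5f43b6432ea77f3...` prefix taken from this page), the expected key IDs, and all function names are constructed for the example.

```python
"""Inspect the hex-encoded PGP ciphertext printed by `vault init -pgp-keys`.

Added example, not part of the Vault docs or code base. Each "Key N:" value is a
hex-encoded OpenPGP message whose first packet is a Public-Key Encrypted Session
Key (PKESK, RFC 4880 section 5.1) naming the 64-bit key ID it was encrypted to.
"""

# Public-key algorithm IDs (RFC 4880 section 9.1) that can appear in a PKESK
PK_ALGORITHMS = {1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only",
                 16: "Elgamal (Encrypt-Only)", 18: "ECDH"}


def _need(data, n):
    """Fail with a clear message instead of IndexError on a cut-short value."""
    if len(data) < n:
        raise ValueError("ciphertext truncated: need %d bytes, have %d" % (n, len(data)))


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the OpenPGP packet at data[0].

    Handles the new header format (what Go's openpgp library, and so Vault,
    writes) and the old one; streamed partial-body lengths are rejected.
    """
    _need(data, 2)
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    if first & 0x40:  # new format: tag in the low six bits
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            _need(data, 3)
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            _need(data, 6)
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old format
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    size = (1, 2, 4)[ltype]
    _need(data, 1 + size)
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")


def recipient_of(hex_ciphertext):
    """Describe the PKESK packet that opens one `Key N:` value.

    Only 13 bytes are needed, so a value truncated with "..." as in the docs
    still parses once the dots are stripped.
    """
    data = bytes.fromhex(hex_ciphertext.strip().rstrip("."))
    tag, off, length = parse_packet_header(data)
    if tag != 1:
        raise ValueError("first packet has tag %d, expected PKESK (tag 1)" % tag)
    _need(data, off + 10)  # version (1) + key ID (8) + algorithm (1)
    if data[off] != 3:
        raise ValueError("unsupported PKESK version %d" % data[off])
    key_id, algo = data[off + 1:off + 9], data[off + 9]
    return {
        "key_id": key_id.hex().upper(),  # as `gpg --keyid-format long` shows it
        "wildcard": key_id == bytes(8),  # all-zero ID = hidden recipient
        "algorithm": PK_ALGORITHMS.get(algo, "unknown (%d)" % algo),
        "packet_length": length,
    }


def check_recipients(init_output, expected_key_ids):
    """Match each `Key N:` line against the key IDs expected from `-pgp-keys`.

    Returns [(key number, key ID found, matches expected?), ...].
    """
    results = []
    for line in init_output.splitlines():
        if not line.startswith("Key "):
            continue
        label, value = line.split(":", 1)
        n = int(label.split()[1])
        found = recipient_of(value)["key_id"]
        want = expected_key_ids[n - 1].upper() if n <= len(expected_key_ids) else None
        results.append((n, found, found == want))
    return results


# Constructed sample of `vault init` output: key 1 reuses the prefix shown in the
# docs above, keys 2 and 3 carry made-up key IDs, and key 3 was deliberately
# encrypted to key 1's ID again (a duplicated -pgp-keys entry), so it is flagged.
SAMPLE_INIT_OUTPUT = """\
Key 1: c1c04c03d5f43b6432ea77f3010800...
Key 2: c1c04c030011223344556677010800...
Key 3: c1c04c03d5f43b6432ea77f3010800...
"""
EXPECTED_KEY_IDS = ["D5F43B6432EA77F3", "0011223344556677", "8899AABBCCDDEEFF"]

if __name__ == "__main__":
    for n, found, ok in check_recipients(SAMPLE_INIT_OUTPUT, EXPECTED_KEY_IDS):
        print("Key %d -> %s %s" % (n, found, "ok" if ok else "MISMATCH"))
```

The key ID in the packet is that of the recipient's encryption key, which for a typical GPG or Keybase key is the encryption subkey shown on the `sub` line of `gpg --list-keys --keyid-format long`, not necessarily the primary key ID passed to `gpg --export`; build the expected list from the subkey IDs. An all-zero key ID marks a hidden recipient, which `vault init` output is not expected to contain, so seeing one is itself a reason to stop and investigate where the value came from.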